The art provides several means by which a computerized system can be protected from malicious code:
a. Preventing unauthorized code (hereinafter, also referred to as “program” or “application”) from entering the system, by checking its validity (such as its signature, its originating source, etc.);
b. Performing a static and/or dynamic analysis of the program to ensure that it does not include malicious code;
c. Shielding the operating system from being exploited through known vulnerabilities by constantly patching such vulnerabilities as soon as they are exposed;
d. Monitoring the behavior of suspicious programs while they run on the system or in a sandbox.
However, the abovementioned means of the prior art for protection of the computerized system suffer from at least one of the following flaws:
a. They require prior knowledge by the protector, either with respect to the code, to its origin, or to its behavior;
b. They require assumptions with respect to the normal or anomalous behavior of the protected system;
c. They require prior knowledge of exploitable vulnerabilities, and will not identify a new (hitherto unknown) exploit;
d. They may detect the malicious behavior too late, after significant damage has already been caused to the system, including the protected resources;
e. It is not clear when and how the malicious activity is triggered; furthermore, modern malware uses evasion and anti-forensics techniques which severely hinder its detection;
f. A previously certified program may at some stage open the gate for malicious code;
g. Malicious code may operate solely in memory without passing through the file system.
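To make the prior-art admission check of item (a) above, and flaws (a) and (f) of the second list, concrete, the following Python program is an added illustration; it is not code from the patent. It models a gate that admits a program image only when its SHA-256 digest appears in a manifest whose signature verifies. It assumes an HMAC-SHA256 keyed manifest in place of a public-key signature scheme so that it runs on the standard library alone; the key, manifest and program images are constructed sample values.

```python
"""Digest-based admission gate (added example; stands in for the prior-art
signature check). Assumption: HMAC-SHA256 plays the role of the signature."""
import hashlib
import hmac
import json

# Constructed signing key; a real deployment keeps it off the protected host.
MANIFEST_KEY = b"constructed-manifest-signing-key"


def sign_manifest(allowed_digests, key=MANIFEST_KEY):
    """Build a manifest (sorted digest list as JSON) together with its tag."""
    body = json.dumps(sorted(allowed_digests)).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def manifest_is_valid(manifest, key=MANIFEST_KEY):
    """Recompute the tag over the body and compare in constant time."""
    expected = hmac.new(key, manifest["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def admit(program_bytes, manifest, key=MANIFEST_KEY):
    """Return (decision, reason). Only a digest named in a validly signed
    manifest passes; the gate knows nothing about what the program will do."""
    if not manifest_is_valid(manifest, key):
        return False, "manifest signature invalid"
    digest = hashlib.sha256(program_bytes).hexdigest()
    allowed = set(json.loads(manifest["body"]))
    if digest not in allowed:
        return False, "digest not in manifest"
    return True, "digest certified"


# Constructed sample images (byte strings standing in for binaries).
CERTIFIED_PROGRAM = b"constructed certified program image v1"
UNKNOWN_PROGRAM = b"constructed program image never reviewed"


def demo():
    """Exercise the gate with a certified image, an unknown image, and a
    manifest edited without the key."""
    manifest = sign_manifest([hashlib.sha256(CERTIFIED_PROGRAM).hexdigest()])
    results = {
        "certified": admit(CERTIFIED_PROGRAM, manifest),
        "unknown": admit(UNKNOWN_PROGRAM, manifest),
    }
    # Adding a digest to the body without re-signing breaks the tag, so the
    # gate refuses the manifest as a whole rather than trusting the new entry.
    forged = dict(manifest)
    entries = json.loads(manifest["body"]) + [hashlib.sha256(UNKNOWN_PROGRAM).hexdigest()]
    forged["body"] = json.dumps(sorted(entries)).encode()
    results["forged_manifest"] = admit(UNKNOWN_PROGRAM, forged)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} admitted={ok} ({why})")
```

The gate illustrates the flaws the text lists: it needs every legitimate digest in advance (prior knowledge), it admits a certified image unconditionally regardless of what that image later does, and it only inspects what is presented to it as a file image, so code that never passes through the file system is never examined.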
The present invention is particularly, but not exclusively, applicable to any CPU whose ISA (Instruction Set Architecture) is available to compiler and/or assembler developers, where the programs' source code is given (Open Source). The concepts of the present invention can also be applied to binary code (Closed Source). Moreover, the present invention is particularly, but not exclusively, applicable to ‘isolated’ systems which are intended to run special-purpose programs and are not designated to run a variety of third-party consumer applications; yet the concepts of the present invention can be applied to other kinds of systems, including mobile devices.
Over the last few years, there have been reports of highly protected computerized systems, even isolated ones, that were compromised by malicious programs. Unlike a regular consumer-oriented system, an isolated system is designated to run special purpose programs. Malicious exploitation of such systems may bear critical consequences. At the same time new kinds of devices such as smart phones are also compromised at an accelerating rate.
Open source programs are widely adopted in a wide range of domains, from smart phones to High Performance Computing (HPC). Open source programs may also be used in isolated systems.
It is therefore an object of the present invention to provide a method and system for protecting a computerized system from malicious code, either known or unknown, either on open source systems or on closed source systems.
It is another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which overcomes all the abovementioned drawbacks of existing means for detection and prevention.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require any prior knowledge about the malicious program, its structure, its behavior, or its origin.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require any assumption with respect to the normal or anomalous behavior of the protected system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require prior knowledge of exploitable vulnerabilities.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which can prevent any operation of an unauthorized program, or to route it to operate in a restricted supervised mode.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which is immune to common evasion and anti-forensics techniques.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code which bypasses the standard gate keeping mechanisms of a protected system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code which operates solely in memory without passing through the file system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which may either replace conventional protection means, or may cooperate with them.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which may be easily updated on a periodical basis, and may include random ingredients to thwart a bypass by the attacker.
It is a particular object of the present invention to provide a method and system which operates at a very low level of the system, for protecting a computerized system from malicious code.
Other objects and advantages of the present invention will become clear as the description proceeds.